Tuesday, July 21, 2020

[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" on the embedded web service.




Web Server Functions

    • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set-up users and passwords.
    • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates
    • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

    Monday, July 20, 2020

    [Siemens] SIMATIC S7-200; DOS via modbus injection ( CVE-2020-7584 )


    In our laboratory we were able to identify and reproduce a vulnerability which enables the construction and delivery of Modbus protocol frames to the PLC, generating an absolute denial of service in the equipment.


    Thursday, July 16, 2020

    [OMRON] "NS WEB Interface": Login Bypass (CVE-2018-6624)

    Today we will be presenting a vulnerability classified as critical found in Omron NS 1.1 / 1.2 / 1.3 which allows remote attackers to bypass authentication via a direct request to the resource "/monitor.html"



    The vulnerability has been assigned the following CVE: "CVE-2018-6624"

    Friday, July 10, 2020

    [Schneider] Multiple (and known) vulnerabilities

    We will be reviewing some known vulnerabilities present in various Schneider Electric devices.


    The affected devices that we've used in the following proofs of concept are:
    • BMX P34 CPU B
    • STB NIP 2311

    Thursday, July 9, 2020

    [Schneider] TM241CE24R & TM251MESE: Login Bypass


    Today we are showcasing a few interesting facts regarding the PLC, TM241CE24R (M241) and TM251MESE (M251)




    This model of PLC (like most) has an embedded web service running by default on port 80. Immediately after accessing the web application, we are able to see the validation form which seems to work perfectly, except for a few interesting details...

    In most cases (every single time in my particular case), the credentials will be by default those of the manual: 'USER:USER'

    When we look at the form, the 'username' is already written. This is a serious issue as the potential attacker's job is already half-done.


    But let's say we come across one of these devices with a changed password. :



    The mechanism that an attacker uses to avoid this security system is as simple as changing the path of the url.

    For the PLC 241 model, they can just go from '/login.htm' to '/index2.htm', and in the case of the M251 model the change would be to "/index251.htm"





    It is worth mentioning that the aforementioned "bypass" does not by default enable all of the device's functionalities.


    Greetings,
    Industrial Army (@_industrialarmy)



    Monday, July 6, 2020

    [Schneider] PowerLogic PM5560: Cross Site Script via Cross Protocol Injections ( CVE-2018-7795 )

    The PowerLogic PM5560 product has several embedded services for remote management, one of which is web. This service has some inputs vulnerable to JS code injection. In other words, the web application is vulnerable to XSS.

     
















    We will now focus on an "alternative" medium used to permit its exploitation...